Abstract

In this article, we develop a new and somewhat unexpected connection between higher-order
model-checking and linear logic. Our starting point is the observation that once embedded in
the relational semantics of linear logic, the Church encoding of a higher-order recursion scheme
(HORS) comes together with a dual Church encoding of an alternating tree automaton (ATA)
of the same signature. Moreover, the interaction between the relational interpretations of the
HORS and of the ATA identifies the set of accepting states of the tree automaton against the
infinite tree generated by the recursion scheme. We show how to extend this result to alternating
parity automata (APT) by introducing a parametric version of the exponential modality of linear
logic, capturing the formal properties of colors (or priorities) in higher-order model-checking. We
show in particular how to reunderstand in this way the type-theoretic approach to higher-order
model-checking developed by Kobayashi and Ong. We briefly explain at the end of the paper
how this analysis driven by linear logic results in a new and purely semantic proof of decidability
of the formulas of the monadic second-order logic for higher-order recursion schemes.
1 Introduction

Thanks to the seminal works by Girard and Reynolds on polymorphism and parametricity
in the 1970s, it has been recognized that every finite tree t on a given signature $\Sigma$ can be
seen alternatively as a simply-typed $\lambda$-term of an appropriate type depending on $\Sigma$. This
correspondence between trees and $\lambda$-terms is even bijective if one considers $\lambda$-terms up to
$\beta\eta$-equivalence, see for instance Girard [7]. Typically, a finite tree t on the signature

$$\Sigma = \{a : 2,\ b : 1,\ c : 0\} \tag{1}$$

is the same thing under this Church encoding as a simply-typed $\lambda$-term t of type

$$(o \to o \to o) \to (o \to o) \to o \to o \tag{2}$$

modulo $\beta\eta$-equivalence. The idea underlying the correspondence is that every constructor
a, b, c of the signature $\Sigma$ should be treated as a variable

$$a : o \to o \to o \qquad b : o \to o \qquad c : o \tag{3}$$
where the number of inputs o in the type $o \to \cdots \to o \to o$ of the variable a, b, c indicates
the arity of the combinator. An equally well-known fact is that this translation extends to
infinite trees generated by higher-order recursion schemes on the signature $\Sigma$ if one extends
the simply-typed $\lambda$-calculus with a fixpoint operator Y. For example, the higher-order
recursion scheme $\mathcal{G}$ on the signature $\Sigma$

$$\begin{cases} S \mapsto F\ a\ b\ c \\ F\ x\ y\ z \mapsto x\ (y\ z)\ (F\ x\ y\ (y\ z)) \end{cases} \tag{4}$$

constructs the infinite tree

[Figure: the infinite tree generated by $\mathcal{G}$]    (5)


and can be formulated as a $\lambda$-term of the same type (2) as previously but defined in the
simply-typed $\lambda$-calculus extended with the fixpoint operator Y:

$$\lambda a\,b\,c.\ \big(\,(Y\ (\lambda F.\ (\lambda x\,y\,z.\ x\ (y\ z)\ (F\ x\ y\ (y\ z)))))\ a\ b\ c\,\big) \tag{6}$$
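The unfolding of the recursion scheme (4) can be computed to any finite depth. The following Python sketch is an added example, not code from the paper: the term representation (nested tuples), the function names and the `"..."` cut-off marker are choices made here, and the scheme is assumed to be productive.

```python
# Added example: finite-depth unfolding of the recursion scheme (4).
# Terms are atoms (strings) or applications written as tuples (head, arg1, ..., argn).

TERMINALS = {"a": 2, "b": 1, "c": 0}          # the signature (1)

RULES = {                                      # the scheme (4)
    "S": ((), ("F", "a", "b", "c")),
    "F": (("x", "y", "z"),
          ("x", ("y", "z"), ("F", "x", "y", ("y", "z")))),
}


def substitute(term, env):
    """Replace the variables of `term` by the terms bound to them in `env`."""
    if isinstance(term, str):
        return env.get(term, term)
    return tuple(substitute(sub, env) for sub in term)


def spine(term):
    """Split a term into its head atom and the tuple of its arguments."""
    args = ()
    while isinstance(term, tuple):
        term, args = term[0], term[1:] + args
    return term, args


def unfold(term, depth, max_steps=1000):
    """Return the tree generated by `term`, cut below `depth` levels.

    A node is (label, child1, ..., childn); a cut subtree is None.
    """
    if depth == 0:
        return None
    head, args = spine(term)
    steps = 0
    while head in RULES:                       # rewrite the head non-terminal
        steps += 1
        if steps > max_steps:
            raise ValueError("no terminal produced: scheme is not productive")
        params, body = RULES[head]
        if len(args) < len(params):
            raise ValueError("non-terminal %s is under-applied" % head)
        env = dict(zip(params, args))
        head, new_args = spine(substitute(body, env))
        args = new_args + args[len(params):]
    if TERMINALS.get(head) != len(args):
        raise ValueError("symbol %r applied to %d arguments" % (head, len(args)))
    return (head,) + tuple(unfold(arg, depth - 1, max_steps) for arg in args)


def render(tree):
    """Print a tree as a(b(c), ...), with '...' for cut subtrees."""
    if tree is None:
        return "..."
    label, children = tree[0], tree[1:]
    if not children:
        return label
    return "%s(%s)" % (label, ", ".join(render(child) for child in children))


if __name__ == "__main__":
    for d in range(1, 5):
        print(d, render(unfold("S", d)))
```

Each step down the right branch adds one more b above c in the left subtree: b(c), b(b(c)), b(b(b(c))), and so on.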


A natural temptation is to study the correspondence between higher-order recursion schemes
and simply-typed $\lambda$-terms with fixpoints (6) from the resource-aware point of view of
linear logic. Recall that the intuitionistic type (2) is traditionally translated in linear logic
as the formula

$$A = {!}({!}o \multimap {!}o \multimap o) \multimap {!}({!}o \multimap o) \multimap {!}o \multimap o.$$

As expected, the higher-order recursion scheme $\mathcal{G}$ in (4) can be translated as a proof $t_A$ of
this formula A in linear logic extended with a fixpoint operator Y. An amusing and slightly
puzzling observation is that the scheme $\mathcal{G}$ can be alternatively translated as a proof $t_B$ of
the formula B below:

$$B = {!}(o \multimap o \multimap o) \multimap {!}(o \multimap o) \multimap {!}o \multimap o$$

with the same underlying simply-typed $\lambda$-term with fixpoint operator Y. The difference
between the terms $t_A$ and $t_B$ is not syntactic, but type-theoretic: in the case of the term
$t_A$, the type A indicates that each tree-constructor a, b and c of the signature $\Sigma$ is allowed
to call its hypothesis as many times as desired:

$$a : {!}o \multimap {!}o \multimap o \qquad b : {!}o \multimap o \qquad c : o$$

whereas in the case of the term $t_B$, the type B indicates that each variable a, b, c calls each
of its hypotheses exactly once:

$$a : o \multimap o \multimap o \qquad b : o \multimap o \qquad c : o$$

As a matter of fact, it appears that the proof $t_B$ is the image of the proof $t_A$ along a canonical
coercion of linear logic

$$\iota : A \multimap B.$$
The status of this program transformation $\iota$ is difficult to understand unless one recalls
that linear logic is based on the existence of a perfect duality between the programs of a
given type A and their environments or counter-programs which are typed by the linear
negation $A^{\bot}$ of the original type A. Accordingly, since the two terms $t_A$ and $t_B = \iota \circ t_A$ are
syntactically equal, their difference should lie in the class of counter-programs of type $A^{\bot}$
or $B^{\bot}$ which are allowed to interact with them. This idea takes its full flavour in the context
of model-checking, when one realizes that every tree automaton $\mathcal{A}$ on the signature $\Sigma$ may
be seen as a counter-program whose purpose is indeed to interact with $t_A$ or $t_B$ in order to
check whether a specific property of interest is satisfied by the infinite tree $[\![\mathcal{G}]\!]$ generated by
the recursion scheme $\mathcal{G}$. This leads to the tentative duality principle:

    higher-order recursion schemes $\mathcal{G}$        tree automata $\mathcal{A}$

where a tree automaton $\mathcal{A}$ on the signature $\Sigma$ is thus seen as a counter-program of type $A^{\bot}$
or $B^{\bot}$ interacting with the higher-order recursion scheme $\mathcal{G}$ seen as a program of type A or B.
An apparent obstruction to this duality principle is that, in contrast to what happens with
recursion schemes $\mathcal{G}$, it is in general impossible to translate a tree automaton $\mathcal{A}$ as a proof of
linear logic — in particular because linear logic lacks non-determinism. However, one neat
way to resolve this matter and to extend linear logic with non-determinism is to embed the
logic in its relational semantics, based on the monoidal category Rel of sets and relations.
The relational semantics of linear logic is indeed entitled to be seen as a non-deterministic
extension of linear logic where every nondeterministic tree automaton $\mathcal{A} = (\Sigma, Q, \delta, q_0)$ may
be “implemented” by interpreting the base type o as the set Q of states of the automaton,
and by interpreting each variable a, b, c as the following relations

$$a : Q \multimap Q \multimap Q \qquad b : Q \multimap Q \qquad c : Q$$

deduced from the transition function $\delta$ of the automaton:

$$a = \{(q_1, q_2, q) \in Q \times Q \times Q \mid (1, q_1) \wedge (2, q_2) \in \delta(q, a)\}$$
$$b = \{(q_1, q) \in Q \times Q \mid (1, q_1) \in \delta(q, b)\}$$
$$c = \{q \in Q \mid \delta(q, c) = \mathrm{true}\}$$

The nondeterministic tree automaton $\mathcal{A}$ is then interpreted as the counter-program
$\mathcal{A}_B = {!}a \otimes {!}b \otimes {!}c \otimes d$ of type

$$B^{\bot} = {!}(Q \multimap Q \multimap Q) \otimes {!}(Q \multimap Q) \otimes {!}Q \otimes Q^{\bot}$$

obtained by tensoring the three relations a, b, c lifted by the exponential modality !
together with the singleton $d = \{q_0\}$ consisting of the initial state of the automaton, and
understood as a counter-program of type $Q^{\bot}$. Note that by composition with the contraposite
$\iota^{\bot} : B^{\bot} \multimap A^{\bot}$ of the coercion $\iota$, one gets a counter-program $\mathcal{A}_A = \iota^{\bot} \circ \mathcal{A}_B$ of type

$$A^{\bot} = {!}({!}Q \multimap {!}Q \multimap Q) \otimes {!}({!}Q \multimap Q) \otimes {!}Q \otimes Q^{\bot}.$$

Note also that when the type o is interpreted as Q in the relational model, the counter-programs
of type $B^{\bot}$ of the form ${!}a \otimes {!}b \otimes {!}c \otimes d$ with $d = \{q_0\}$ correspond exactly to
the non-deterministic tree automata on the signature $\Sigma$ with set of states Q and initial
state $q_0$. The difference between the two types A and B becomes very clear and meaningful
at this stage: shifting to the type $A^{\bot}$ enables one to extend the class of nondeterministic
tree automata to nondeterministic alternating tree automata $\mathcal{A}$ with typical transitions of
the form

$$\delta(q, a) = (1, q_1) \wedge (1, q_2) \tag{7}$$

meaning that the tree automaton $\mathcal{A}$ meeting the tree $a(t_1, t_2)$ at state q explores the left
subtree $t_1$ twice with states $q_1$ and $q_2$ and does not explore at all the right subtree $t_2$. Such
a transition $\delta(q, a)$ is typically represented in the relational semantics of linear logic by the
singleton relation

$$a = \{(\{\!|\, q_1, q_2 \,|\!\},\ \emptyset,\ q)\} : {!}Q \multimap {!}Q \multimap Q \tag{8}$$

where one uses the set !Q of finite multisets of Q to encode the transition (7) with the
finite multiset $\{\!|\, q_1, q_2 \,|\!\}$ consisting of the two states $q_1, q_2 \in Q$ and the empty multiset $\emptyset$
of states. It should be stressed that a tree automaton $\mathcal{A}$ admitting such an “alternating”
transition $\delta(q, a)$ cannot be encoded as a counter-program of type $B^{\bot}$ because the transitions
of the tree automaton $\mathcal{A}$ are linear in that type and thus explore exactly once each subtree $t_1$
and $t_2$ of the tree $a(t_1, t_2)$. Summarizing the current discussion, we are entitled to consider
that each linear type $A^{\bot}$ and $B^{\bot}$ reflects a specific class of tree automata on the signature $\Sigma$:

$$B^{\bot} \longleftrightarrow \text{non-deterministic tree automata}$$
$$A^{\bot} \longleftrightarrow \text{non-deterministic alternating tree automata}$$

Accordingly, the purpose of the coercion $\iota$ from $t_A$ to $t_B$ is to restrict the power of the
class of alternating non-deterministic tree automata allowed to explore the infinite tree $[\![\mathcal{G}]\!]$
generated by the higher-order recursion scheme $\mathcal{G}$ of signature $\Sigma$.
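The difference between the two classes of automata can be checked on a finite tree. The following Python sketch is an added example, not code from the paper: it builds the relations a, b, c from a transition function, with multisets written as sorted tuples, and computes the states from which a finite tree is accepted. Only transition (7) and relation (8) come from the text; the transitions on b and c, the linear variant and the sample tree are constructed for illustration.

```python
# Added example: the relations a, b, c read off a transition function, and
# acceptance of a finite tree over the signature (1).

ARITY = {"a": 2, "b": 1, "c": 0}

# delta[(state, letter)] is a disjunction (list) of conjunctions (lists) of
# atoms (direction, state); [[]] stands for "true".
DELTA_ALT = {
    ("q", "a"): [[(1, "q1"), (1, "q2")]],   # the alternating transition (7)
    ("q1", "b"): [[(1, "q1")]],             # constructed
    ("q2", "b"): [[(1, "q2")]],             # constructed
    ("q1", "c"): [[]],                      # constructed: delta(q1, c) = true
    ("q2", "c"): [[]],                      # constructed: delta(q2, c) = true
}

# Constructed linear variant: each subtree of a is visited exactly once.
DELTA_LIN = dict(DELTA_ALT)
DELTA_LIN[("q", "a")] = [[(1, "q1"), (2, "q2")]]


def relation(delta, arity):
    """Map each letter f of arity n to a set of tuples (M_1, ..., M_n, q),
    where M_i is the multiset (sorted tuple) of states sent to child i."""
    rel = {f: set() for f in arity}
    for (q, f), clauses in delta.items():
        for clause in clauses:
            for direction, _ in clause:
                if not 1 <= direction <= arity[f]:
                    raise ValueError("bad direction %d for %s" % (direction, f))
            multisets = tuple(
                tuple(sorted(s for d, s in clause if d == i))
                for i in range(1, arity[f] + 1)
            )
            rel[f].add(multisets + (q,))
    return rel


def is_linear(element):
    """True when every child receives exactly one state, so that the element
    already lives in Q -o ... -o Q, as for the type B^bot."""
    return all(len(m) == 1 for m in element[:-1])


def accepting_states(tree, rel):
    """States with a finite accepting run-tree over `tree`.

    A tree is (label, child1, ..., childn). A state q accepts when some
    element (M_1, ..., M_n, q) of the relation has all of M_i accepted by
    the i-th child; an empty M_i leaves that child unexplored."""
    label, children = tree[0], tree[1:]
    below = [accepting_states(child, rel) for child in children]
    return {
        element[-1]
        for element in rel[label]
        if all(set(m) <= ok for m, ok in zip(element[:-1], below))
    }


# Constructed tree a(b(c), b(a(c, c))): no state accepts its right subtree.
TREE = ("a", ("b", ("c",)), ("b", ("a", ("c",), ("c",))))

if __name__ == "__main__":
    print(relation(DELTA_ALT, ARITY)["a"])                   # the relation (8)
    print(accepting_states(TREE, relation(DELTA_ALT, ARITY)))
    print(accepting_states(TREE, relation(DELTA_LIN, ARITY)))
```

The alternating automaton accepts the sample tree from q although no state accepts the right subtree, because (8) sends the empty multiset there; the linear variant must visit that subtree and rejects.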


Description of the paper 


The purpose of this paper is to show that this duality between recursion schemes and tree
automata underlies several of the recent developments in the field of higher-order
model-checking. To that purpose, we start by establishing in §2 an equivalence between the
intersection type system introduced by Kobayashi to describe infinitary coinductive proofs,
and an infinitary variant of the traditional relational semantics of linear logic developed
This correspondence between an intersection type system and a relational semantics
of linear logic adapts to the field of higher-order model-checking ideas dating back to Coppo,
Dezani, Honsell and Longo [4] and recently revisited by Terui [25] and independently by de
Carvalho [5] in order to establish complexity properties of evaluation in the simply-typed
$\lambda$-calculus. It may also be seen as an account based on linear logic of the semantic approach
to higher-order model-checking developed by Aehlig in the early days of the field [1]. The
main contribution of the paper is the observation developed in §3 that this correspondence
between intersection type systems and the relational semantics of linear logic extends to
alternating parity games, and thus to the full hierarchy of the modal $\mu$-calculus. This
extension relies on the construction of a parametric comonad in the sense of [16] defined as
a family of modalities $\Box_m$ indexed by colors (or priorities) $m \in \mathbb{N}$, equipped with a series
of structural morphisms satisfying suitable coherence properties. The resulting intersection
type system provides a clean and conceptual explanation for the type system designed by
Kobayashi and Ong [15] in order to accommodate the hierarchy of colors. In particular, we
show that a simpler but equivalent treatment of colors is possible. Finally, we explain in
§3 in what sense the parametric comonad exhibited at the level of intersection types
corresponds to a traditional notion of exponential modality at the level of the relational semantics
of linear logic. We obtain in this way a semantic reformulation of alternating parity games
in an infinitary and colored variant of the relational semantics of linear logic. In particular,
just as for finitary tree automata, a state $q \in Q$ of the alternating parity automaton is
accepted if and only if it is an element of the composite (in the relational semantics) of the
recursion scheme with the tree automaton.

2 The type-theoretic approach to higher-order model-checking 

Developing an idea by Hosoya, Pierce and Vouillon [13], Kobayashi designed in [14] a
type-theoretic account of higher-order model-checking in the particular case of alternating tree
automata (ATA) testing for coinductive properties — and thus without parity conditions. In
this section, we briefly recall his terminology and results, and explain the hidden connection
with relational semantics.


2.1 Recursion schemes and simply-typed $\lambda$-terms with fixpoint

Given a ranked alphabet $\Sigma$, we will consider in this paper two kinds of $\Sigma$-labelled trees of
finite or countable depth:

- ranked trees, typically generated by higher-order recursion schemes, in which the number
  of children of a node labelled with $f \in \Sigma$ is equal to the arity ar(f) of its label,
- unranked trees, typically used to describe run-trees of alternating automata, and where
  the previous arity constraint is relaxed.

Given a base type $\bot$, we will consider the set $\mathcal{K}$ of simple types, generated by the grammar

$$\kappa ::= \bot \mid \kappa \to \kappa$$

modulo associativity of the arrow to the right. Every simple type has a unique decomposition

$$\kappa = \kappa_1 \to \cdots \to \kappa_n \to \bot$$

where n is the arity of $\kappa$, denoted ar($\kappa$). The complexity of $\kappa$ is typically measured by its
order, defined inductively by order($\kappa$) = 0 if n = 0 and

$$\mathrm{order}(\kappa) = 1 + \max(\mathrm{order}(\kappa_1), \ldots, \mathrm{order}(\kappa_n))$$

In the sequel, following Kobayashi [14], we shall refer to simple types as kinds, to prevent
confusion with intersection types. We write $f :: \kappa$ or $t :: \kappa$ when a symbol f or a term
t has kind $\kappa$. The formalism of higher-order recursion schemes (HORS) on a given ranked
signature $\Sigma$ may be seen as equivalent to simply-typed $\lambda$-calculus with a recursion operator
Y and free variables $f \in \Sigma$ of order at most 1. Consequently, every free variable $f \in \Sigma$ of
the $\lambda Y$-term corresponding to the recursion scheme has kind

$$\underbrace{\bot \to \cdots \to \bot}_{ar(f)} \to \bot \tag{9}$$

where ar(f) denotes the arity of the terminal $f \in \Sigma$. The normalization of the $\lambda Y$-term
associated to the recursion scheme $\mathcal{G}$ produces a potentially infinite ranked tree, labelled
by its free variables. As we explained in the introduction, this translation of higher-order
recursion schemes into $\lambda Y$-terms may be seen as an instance of the Church encoding of
ranked trees over the signature $\Sigma$.
In order to check whether a given monadic second-order formula holds at the root of the
infinite tree generated by a HORS, a traditional procedure is to explore it using an
alternating parity automaton (APT). Every exploration of the APT produces a run-tree labelled
by the same signature, but unranked because of the alternating nature of the automaton.
The subclass of APT in which every state of the automaton is assigned color 0 (the least
coinductive priority) defines the class of alternating tree automata (ATA), which can test
coinductive properties like safety, but cannot test inductive properties like reachability. The
definitions of HORS and APT, as well as the correspondence between APT and monadic
second-order logic, are recalled in the Appendix. In the sequel, S denotes the start symbol of
a recursion scheme $\mathcal{G}$, $\mathcal{N}$ its set of non-terminals, and $\mathcal{R}(F)$ denotes for every non-terminal
$F \in \mathcal{N}$ the simply-typed $\lambda$-term it rewrites to as $F \to_{\mathcal{G}} \mathcal{R}(F)$ in the recursion scheme $\mathcal{G}$.

2.2 From kinds to intersection types 

In his original work, Kobayashi reduces the study of coinductive properties of higher-order 
recursion schemes to the definition of an intersection type system. The general idea is that 
every transition of an alternating tree automaton 

$$\delta(q_0, \mathtt{if}) = (2, q_0) \wedge (2, q_1) \tag{10}$$

may be understood type-theoretically as a refinement of the simple type 


and reformulated as an intersection type 

$$\emptyset \to (q_0 \wedge q_1) \to q_0.$$

This intersection type expresses the fact that, given any tree $T_1$ and a tree $T_2$ accepted from
both states $q_0$ and $q_1$, the composed tree $\mathtt{if}\ T_1\ T_2$ is accepted from the state $q_0$. Following
this connection, Kobayashi defines for every HORS $\mathcal{G}$ and every alternating tree automaton $\mathcal{A}$
without parity condition a type system $Kob(\mathcal{G}, \mathcal{A})$ satisfying the following property:

► Theorem 1 (Kobayashi [14]). The sequent

$$\vdash_{\mathcal{G},\mathcal{A}} S : q :: \bot$$

is provable in $Kob(\mathcal{G}, \mathcal{A})$ if and only if there is a run-tree of $\mathcal{A}$ over $[\![\mathcal{G}]\!]$ with initial state q.

Note that the intersection type system $Kob(\mathcal{G}, \mathcal{A})$ is somewhat ad hoc since it depends on $\mathcal{G}$
and $\mathcal{A}$, in contrast to the approach developed in the present paper, based on a Church
encoding of $\mathcal{G}$ and $\mathcal{A}$ in a single intersection type system formulated in §3 and §4.

2.3 Intersection types and the relational semantics of linear logic 

As a warm-up to the next two sections §3 and §4 and to the modal treatment of colors in
alternating parity automata (APT), we explain here, in the simpler coinductive case, how
to relate Kobayashi’s intersection type system for alternating tree automata (ATA) to an
infinitary variant of the relational semantics of linear logic. As already explained, the Church
encoding of a ranked tree over the signature $\Sigma = \{f_i : ar_i \mid i \in I\}$ defines a $\lambda Y$-term t, of
simple type $\bot$ with free variables $f_i$ of kind (9) translated as the following formula of linear
logic:


fi ■■ 


for $i \in I$.
The $\lambda Y$-term t itself is thus typed by the following sequent of linear logic:

$$\ldots,\ f_i : {!}(\underbrace{{!}\bot \multimap \cdots \multimap {!}\bot}_{ar_i} \multimap \bot),\ \ldots \ \vdash\ t : \bot$$

From this follows that its interpretation $[\![t]\!]$ in the relational semantics of linear logic defines
a subset of the following set of “higher-order states”


M c 


where the return type $\bot$ is naturally interpreted as the set of states $[\![\bot]\!] = Q$ of the
alternating tree automaton. As explained in the introduction, the transition function $\delta$ of the
alternating tree automaton $\mathcal{A}$ is itself interpreted as a subset


which may be “strengthened” in the categorical sense as a subset 


m e 


& 

iei 


! _L 


! L 



1*1 c 

where we turn to our advantage the well-known isomorphism of linear logic: 

\(AkB) = 



As explained in the introduction, a first contribution of the article is to establish the following 
result in the case of the traditional relational semantics of linear logic, extended here with 
a fixpoint operator Y: 


► Theorem 2. An alternating tree automaton $\mathcal{A}$ with a set of states Q has a finite accepting
run-tree with initial state $q_0$ over the possibly infinite tree generated by a $\lambda Y$-term t if and
only if there exists $u \in [\![\delta^{\dagger}]\!]$ such that $(u, q_0) \in [\![t]\!]$, where $[\![\delta^{\dagger}]\!] = \mathcal{M}_{fin}([\![\delta]\!])$ denotes the set
of finite multisets of elements of $[\![\delta]\!]$.


Another equivalent way to state the theorem is that the set of accepting states $q_0$ for a
finite run-tree of the alternating tree automaton $\mathcal{A}$ is equal to the composition of $[\![t]\!]$ and
of $[\![\delta^{\dagger}]\!]$ in the relational semantics. At this point, it appears that the only hurdle towards
an extension of this theorem to the alternating tree automata with coinductive (rather than
inductive) acceptance condition is the finiteness of multiplicities in the traditional relational
interpretation of the exponential modality. For this reason, the authors developed in a
companion paper [10] an infinitary variant Rel of the relational model of linear logic, where
the exponential modality noted there « ↯ » in order to distinguish it from the traditional « ! »
transports every set A (of cardinality required to be smaller than the reals) to the set

$$↯ A = \mathcal{M}_{count}(A)$$


of finite-or-countable multisets of elements of A. In this alternative relational semantics,
there is a coinductive fixpoint operator Y satisfying the equations of a Conway operator,
and thus providing an interpretation of the $\lambda Y$-calculus. The infinitary interpretation of a
$\lambda Y$-term is denoted $[\![t]\!]_{\infty}$ in order to distinguish it from the traditional finitary interpretation.
Note that the interpretation $[\![\delta]\!]_{\infty} = [\![\delta]\!]$ is unchanged, and that its strengthening to $[\![\delta^{\dagger}]\!]_{\infty}$
reflects now the infinitary principles of the model. In particular, it is possible to detect
whether a transition has been called a countable number of times. This brings us to the
second main contribution of this article, which is to adapt the previous theorem for finite
accepting run-trees to the general case of possibly infinite accepting run-trees:


► Theorem 3. An alternating tree automaton $\mathcal{A}$ with a set of states Q has a possibly infinite
accepting run-tree with initial state $q_0$ over the possibly infinite tree generated by a $\lambda Y$-term t
if and only if there exists $u \in [\![\delta^{\dagger}]\!]_{\infty}$ such that $(u, q_0) \in [\![t]\!]_{\infty}$, where $[\![\delta^{\dagger}]\!]_{\infty} = \mathcal{M}_{count}([\![\delta]\!]_{\infty})$
denotes the set of finite-or-countable multisets of elements of $[\![\delta]\!]_{\infty}$.


This theorem should be understood as a purely semantic counterpart to Theorem 1. The
connection is provided by the foundational and elegant work by Bucciarelli and Ehrhard
[2, 3] on indexed linear logic, which establishes a nice correspondence between the elements
of the relational semantics and a finitary variant of intersection types. By shifting from
finite to finite-or-countable multisets and intersection types, we are able to recover here the
discriminating power of general alternating tree automata. In particular, the set of accepting
states of the alternating tree automaton $\mathcal{A}$ is equal to the composition of $[\![t]\!]_{\infty}$ and of $[\![\delta^{\dagger}]\!]_{\infty}$
in our infinitary variant of the relational semantics.

We should mention however that there is a minor difference between our semantic result
and the original Theorem 1, related to the fact that Kobayashi chose to work in a type system
where intersection is understood as an idempotent operation. This choice is motivated in
his work by the desire to keep the type system finitary, and thus to obtain decidability
results. We prefer to work here with an infinitary relational semantics, corresponding to an
infinitary and non-idempotent variant of Kobayashi’s intersection type system. The reason is
that shifting from an infinitary to an idempotent intersection type system corresponds from
a semantic point of view to shifting from an infinitary relational semantics to its extensional
collapse. Ehrhard [6] has recently established that the extensional collapse of the relational
semantics is provided by a lattice model, where the formulas of linear logic are interpreted as
partially ordered sets. This means that the corresponding intersection type systems should
include a subtyping relation, as well-understood for instance by Terui in [25]. This subtyping
relation is not mentioned in the original work by Kobayashi [14] nor in the later work by
Kobayashi and Ong [15] and although their final result is certainly valid, this omission has
led to much confusion.


3 A type-theoretic account of alternating parity automata 
3.1 Colored intersection types 


After designing in [14] the type-theoretic approach to alternating tree automata recalled in
the previous section, Kobayashi carried on in this direction and generalized it with Ong [15]
to the larger class of alternating parity automata. The basic idea of this work is to
incorporate coloring annotations in the intersection types, in order to reflect in the type system the
parity conditions of the tree automata. Suppose for instance that a binary terminal $a \in \Sigma$
induces a transition $\delta(q, a) = (1, q_1) \wedge (2, q_2)$ in an alternating parity tree automaton with
coloring function $\Omega : Q \to \mathbb{N}$. In that case, the terminal a is assigned in [15] the intersection
type

$$a : (q_1, m_1) \to (q_2, m_2) \to q \tag{11}$$

where $m_1 = \max(\Omega(q_1), \Omega(q))$ and $m_2 = \max(\Omega(q_2), \Omega(q))$ are colors indicating to the type
system the colors of the states $q, q_1, q_2$ of the parity tree automaton.

In order to prepare the later development of the paper, we find it useful to simplify the colored
intersection type system originally formulated by Kobayashi and Ong, and to stress at the
same time the modal nature of colors (or priorities) in higher-order model-checking. So,
given a set of states Q and a coloring function $\Omega : Q \to \mathbb{N}$, we define the set of colors

$$Col = \{\Omega(q) \mid q \in Q\} \uplus \{\epsilon\}$$

which contains the colors used by $\Omega$, together with an additional color $\epsilon$ which will play the
role of neutral element. The intersection types are then generated by the grammar

$$\theta ::= q \mid \tau \to \theta \qquad (q \in Q)$$
$$\tau ::= \bigwedge_{i \in I} \Box_{m_i}\, \theta_i \qquad (I \text{ finite},\ m_i \in Col)$$

The refinement relation between intersection types and kinds is defined by the inductive
rules below:

$$\frac{q \in Q}{q :: \bot} \qquad \frac{\tau :: \kappa_1 \quad \theta :: \kappa_2}{\tau \to \theta :: \kappa_1 \to \kappa_2} \qquad \frac{\forall i \in I \quad \theta_i :: \kappa}{\bigwedge_{i \in I} \Box_{m_i}\, \theta_i :: \kappa}$$

Note that the color modality acts on intersection types and contexts by

$$\Box_m \Big(\bigwedge_{i \in I} \Box_{m_i}\, \theta_i\Big) = \bigwedge_{i \in I} \Box_{\max(m, m_i)}\, \theta_i \qquad \Box_m (x : \tau,\ \Delta) = x : \Box_m \tau,\ \Box_m \Delta$$

Note also that the neutral color $\epsilon$ is only introduced here to allow a uniform definition of
types and contexts. It does not affect the coloring of types, and should be understood as
the absence of a coloring annotation. From this, one obtains an intersection type system
$צ(\mathcal{A})$ parametrized by the alternating tree automaton $\mathcal{A}$, whose rules are given in Figure 1.
Here we use the Hebrew letter צ which should be read “tsadi”. The resulting type system
$צ(\mathcal{A})$ enables us to type the rewriting rules of a higher-order recursion scheme

$$\Delta \vdash \mathcal{R}(F) : \sigma :: \kappa \tag{12}$$

where the non-terminals occurring in the $\lambda$-term $\mathcal{R}(F)$ appear as variables in the context $\Delta$
of the typing judgement. On the other hand, the intersection type system $צ(\mathcal{A})$ does not
include a fixpoint operator Y and for that reason does not accommodate recursion.


3.2 Interpretation of recursion 

In order to accommodate recursion in the intersection type system $צ(\mathcal{A})$, we need to extend
it with a rule fix whose purpose is to expand the non-terminals $F \in \mathcal{N}$ of the recursion
scheme $\mathcal{G}$ in order to obtain possibly infinitary derivation trees. So, given a higher-order
recursion scheme $\mathcal{G}$ and an alternating parity automaton $\mathcal{A}$, we define the intersection type
system $צ_{fix}(\mathcal{G}, \mathcal{A})$ as $צ(\mathcal{A})$ where we add the recursion rule

$$\text{fix}\quad \frac{\Gamma \vdash \mathcal{R}(F) : \theta :: \kappa}{F : \theta :: \kappa \ \vdash\ F : \theta :: \kappa}\quad dom(\Gamma) \subseteq \mathcal{N}$$

and at the same time restrict the Axiom rule to variables $x \in \mathcal{V}$, and in particular do not
allow the Axiom rule to be applied on non-terminals any more.

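$$\text{Axiom}\quad \frac{}{x : \bigwedge_{\{i\}} \Box_{\epsilon}\, \theta_i :: \kappa \ \vdash\ x : \theta_i :: \kappa}\quad (x \in \mathcal{V} \cup \mathcal{N})$$

$$\frac{\{(i, q_{ij}) \mid 1 \le i \le n,\ 1 \le j \le k_i\} \text{ satisfies } \delta_{\mathcal{A}}(q, a)}{\vdash a : \bigwedge_{j=1}^{k_1} \Box_{\Omega(q_{1j})}\, q_{1j} \to \cdots \to \bigwedge_{j=1}^{k_n} \Box_{\Omega(q_{nj})}\, q_{nj} \to q :: \bot \to \cdots \to \bot \to \bot}\quad (a \in \Sigma)$$

$$\text{App}\quad \frac{\Delta \vdash t : (\Box_{m_1} \theta_1 \wedge \cdots \wedge \Box_{m_k} \theta_k) \to \theta :: \kappa \to \kappa' \qquad \Delta_1 \vdash u : \theta_1 :: \kappa \ \cdots\ \Delta_k \vdash u : \theta_k :: \kappa}{\Delta + \Box_{m_1} \Delta_1 + \cdots + \Box_{m_k} \Delta_k \ \vdash\ t\,u : \theta :: \kappa'}$$

$$\lambda\quad \frac{\Delta,\ x : \bigwedge_{i \in I} \Box_{m_i}\, \theta_i :: \kappa \ \vdash\ t : \theta :: \kappa' \qquad I \subseteq J}{\Delta \vdash \lambda x.\, t : \Big(\bigwedge_{j \in J} \Box_{m_j}\, \theta_j\Big) \to \theta :: \kappa \to \kappa'}$$

Figure 1 The type system $צ(\mathcal{A})$ associated to the alternating parity tree automaton $\mathcal{A}$.

An important aspect of the resulting intersection type system $צ_{fix}(\mathcal{G}, \mathcal{A})$ is that its derivation
trees may be of countable depth. As in Kobayashi’s original type system, this infinitary
nature of the intersection type system enables one to reflect the existence of infinitary runs
in the alternating parity automaton $\mathcal{A}$. In order to articulate the parity condition of the
automaton with the typing derivations, a color is assigned to each node of the derivation
tree, in the following way:

- the node $\Delta_i \vdash u : \theta_i :: \kappa$ is assigned the color $m_i$ in every Application rule

$$\frac{\Delta \vdash t : (\Box_{m_1} \theta_1 \wedge \cdots \wedge \Box_{m_k} \theta_k) \to \theta :: \kappa \to \kappa' \qquad \cdots \qquad \Delta_i \vdash u : \theta_i :: \kappa \qquad \cdots}{\Delta + \Box_{m_1} \Delta_1 + \cdots + \Box_{m_k} \Delta_k \ \vdash\ t\,u : \theta :: \kappa'}$$

  of the derivation tree,

- all the other nodes of the derivation tree are assigned the neutral color $\epsilon$, which means
  in some sense that they are not colored by the typing system.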

A nice aspect of our approach compared to the original formulation in [15] is that the parity
condition traditionally applied to the alternating parity automaton $\mathcal{A}$ extends to a very
simple parity condition on the derivation trees of $צ_{fix}(\mathcal{G}, \mathcal{A})$. Indeed, the color of an infinite
branch of a given derivation tree can be defined as

- the neutral color $\epsilon$ if no other color $m \in Col$ occurs infinitely often in the branch,
- otherwise, the maximal non-neutral color $m \in Col \setminus \{\epsilon\}$ seen infinitely often.

Then, an infinite branch of the derivation tree is declared winning precisely when its color
is an even integer (and in particular different from the neutral color). A winning derivation
tree is then defined as a derivation tree whose infinite branches are all winning in the sense
just explained.


3.3 Soundness and completeness 


Once the notion of infinite winning derivation tree has been made explicit, as we have just done in the
previous section, there remains to relate this winning condition to the acceptance condition
of alternating parity automata. To that purpose, and for the sake of the presentation, we
choose to restrict ourselves to productive recursion schemes, as is also done in [15]. Note that
it is only a very mild restriction, since every recursion scheme $\mathcal{G}$ can be transformed into a
productive recursion scheme $\mathcal{G}'$ which outputs a special leaf symbol $\Omega$ whenever the Böhm
evaluation of the original scheme $\mathcal{G}$ would have looped infinitely. The following theorem
is a soundness and completeness result which relates the winning condition on the
infinite derivation trees of $צ_{fix}(\mathcal{G}, \mathcal{A})$ to the parity acceptance condition of the automaton $\mathcal{A}$
during its exploration of the infinite tree $[\![\mathcal{G}]\!]$ generated by the recursion scheme $\mathcal{G}$:
► Theorem 4 (soundness and completeness). Suppose given a productive recursion scheme
$\mathcal{G}$ and an alternating parity automaton $\mathcal{A}$. There exists a winning run-tree of $\mathcal{A}$ over $[\![\mathcal{G}]\!]$
with initial state q if and only if the sequent

$$S : q :: \bot \ \vdash\ S : q :: \bot \tag{13}$$

has a winning derivation tree in the type system $צ_{fix}(\mathcal{G}, \mathcal{A})$.

There are several ways to establish the theorem. One possible way is to establish an
equivalence with the original soundness and completeness by Kobayashi and Ong [15]. One should
be careful however that the original proof in [15] was incomplete, and has been corrected
in the (unpublished) journal version of the paper. In order to establish the equivalence,
one shows that the existence of a winning derivation tree of the sequent (13) in the
intersection type system $צ_{fix}(\mathcal{G}, \mathcal{A})$ is equivalent to the existence of a winning strategy for Eve
in the parity game defined in [15]. Another more direct proof is possible, based on the
reformulation by Haddad [11] of Kobayashi and Ong’s treatment of infinitary (rather than
simply finitary) sequences of rewrites on higher-order recursion schemes. It is in particular
important to observe that the infinitary nature of computations requires extending the usual
soundness and completeness arguments based on Böhm trees, finite rewriting sequences and
continuity. This point was apparently forgotten in [15] and corrected in the journal version
of the paper.


4 An indexed tensorial logic with colors 


The notation $\Box_m \theta$ is used in our intersection type system $צ_{fix}(\mathcal{G}, \mathcal{A})$ as a way to stress the
modal nature of colors, and it replaces for the better the notation $(\theta, m)$ used by Kobayashi
and Ong in [15]. As we will see, the discovery of the modal nature of colors is fundamental,
and is not just a matter of using the appropriate notation. In particular, it enables us to
simplify both technically and conceptually the original intersection type system in [15]. By
way of illustration, the original intersection type (11) of the binary terminal $a \in \Sigma$ considered
in §3.1 is replaced by the simpler intersection type:

$$a : \Box_{n_1}\, q_1 \to \Box_{n_2}\, q_2 \to q \tag{14}$$

where $n_1 = \Omega(q_1)$ and $n_2 = \Omega(q_2)$. Interestingly, the color of the state q is not mentioned
in the type anymore. The reason is that this alternative account of colors achieved in our
type system is not just “simpler” than the original one: it also reveals a deep and somewhat
unexpected connection with linear logic, since as we will see, this “disparition” of the color
$\Omega(q)$ in (14) is related to the well-known linear decomposition $A \Rightarrow B = {!}A \multimap B$ of
the intuitionistic implication in linear logic. One essential difference however is that the
exponential modality « ! » of linear logic is replaced by a family of modal boxes $\Box_m$ which
formally defines what Melliès calls a parametric comonad in [19, 17].

This key observation enables us to translate the intersection type system $Y_{fix}(\mathcal{G},\mathcal{A})$ into
an infinitary variant of linear logic equipped with a family of color modalities noted $\Box_m$
for $m \in \mathbb{N}$. A nice feature of the translation is that it transports the intersection type
system $Y_{fix}(\mathcal{G},\mathcal{A})$ which depends on $\mathcal{G}$ and $\mathcal{A}$ into an intersection type system which does
not depend on them anymore - although it still depends on the set $Q$ of states of the
automaton. The infinitary variant of linear logic which we use for the translation is

- indexed in the sense of Bucciarelli and Ehrhard [2, 3]. In particular, the finite or countable
  intersection types $\bigwedge_{i \in I} \theta_i$ of $Y_{fix}(\mathcal{G},\mathcal{A})$ are translated as finite or countable indexed
  families $[\theta_i \mid i \in I]$ of formulas of the logic,
- tensorial in the sense of Melliès [18-20]. In this specific case, every negated formula of
  the logic is negated with respect to a specific state $q \in Q$ of the automaton, and is thus
  of the form a q, which may be alternatively written as $\neg_q\, a$ or even as $\overset{q}{\neg}\, a$.

In this way, one obtains an indexed and colored variant of tensorial logic, called TL(Q) in
the sequel, and whose formulas are inductively generated by the following grammar:

$$A, B ::= 1 \mid A \otimes B \mid \neg_q A \mid \Box_m A \mid [A_j \mid j \in J] \qquad (m \in Col,\ q \in Q)$$

As already mentioned, following the philosophy in [3], the finite or countable indexed set
$[A_j \mid j \in J]$ internalizes the intersection operator of $Y_{fix}(\mathcal{G},\mathcal{A})$ in our indexed tensorial logic,
see our companion paper [9] for details. Importantly, the resulting indexed logic TL(Q) can
be used as an intersection type system refining the simply-typed λ-calculus in just the same
way as $Y_{fix}(\mathcal{G},\mathcal{A})$, see the Appendix. In particular, the fact that $\Box$ defines a parametric
monoidal comonad in the logic means that the sequents


$$\Box_\epsilon A \vdash A \qquad \Box_{\max(m_1,m_2)} A \vdash \Box_{m_1} \Box_{m_2} A \qquad \Box_m A \otimes \Box_m B \vdash \Box_m (A \otimes B)$$

are provable for all colors $m, m_1, m_2 \in \mathbb{N}$, and all formulas $A, B$. In order to deal with
recursion schemes, we admit derivation trees with finite or countable depth in the logical
system TL(Q). The nodes of the derivation trees of TL(Q) are then colored in the following
way:

- every node $\Gamma \vdash M : A :: \kappa$ in a Right introduction of the modality $\Box_m$:

$$\frac{\Gamma \vdash M : A :: \kappa}{\Box_m \Gamma \vdash M : \Box_m A :: \kappa}\ \text{Right } \Box_m$$

  is assigned the color $m$ of the modality,
- all the other nodes of the derivation tree are assigned the neutral color $\epsilon$.

The winning condition on an infinite derivation tree of TL(Q) is then directly adapted
from the similar condition in $Y_{fix}(\mathcal{G},\mathcal{A})$. Thanks to this condition, we are ready to state a
useful correspondence theorem between $Y_{fix}(\mathcal{G},\mathcal{A})$ and TL(Q) for any (productive) recursion
scheme $\mathcal{G}$. Suppose that for each $F \in \mathcal{N}$ of kind $\kappa(F)$ of the recursion scheme $\mathcal{G}$, we introduce
a new free variable freeze(F) of kind $\kappa(F) \to \kappa(F)$; that we replace each λ-term $\mathcal{R}(F)$
by its βη-long normal form; and finally, that we substitute each occurrence of $F$ appearing
in any βη-long normal form $\mathcal{R}(G)$ of the recursion scheme $\mathcal{G}$ with the λ-term freeze(F) F
of the same kind $\kappa(F)$. This transformation induces a context-free grammar of « blocks »
consisting of the βη-long $\mathcal{R}(G)$'s, which generates an infinite λ-term in βη-long normal form,
noted $term(\mathcal{G})$, with free variables of the form freeze(F). Moreover, this infinite λ-term
$term(\mathcal{G})$ is coinductively typed in the simply-typed λ-calculus by the typing judgment:

$$\ldots,\ freeze(F) : \kappa(F) \to \kappa(F),\ \ldots \vdash term(\mathcal{G}) : \bot \qquad (15)$$

where $F$ runs over all the non-terminals $F \in \mathcal{N}$ of the higher-order recursion scheme $\mathcal{G}$. At
this point, we are ready to recast our Theorem 4 in the proof-theoretic language of indexed
tensorial logic:

► Theorem 5. There exists a winning derivation tree in $Y_{fix}(\mathcal{G},\mathcal{A})$ of the sequent

$$S : \Box_\epsilon\, q_0 :: \bot \vdash S : q_0 :: \bot \qquad (16)$$

if and only if there exists a winning derivation tree in TL(Q) of a sequent

$$\Gamma \vdash term(\mathcal{G}) : q_0 :: \bot \qquad (17)$$

refining the typing judgment (15).
5 Putting all together: relational semantics of linear logic and
higher-order model-checking

Once the connection between higher-order model-checking and indexed tensorial logic is
established in §4, there remains to exhibit the associated relational semantics of linear logic,
following the ideas of Bucciarelli and Ehrhard [2, 3]. This trail leads us to an infinitary and
colored variant of the usual relational semantics of linear logic, developed in our companion
paper [10]. The key observation guiding the construction is that the functor

$$\Box : A \mapsto Col \times A : Rel \to Rel$$

equipped with the coercion maps 

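$$\begin{array}{rcl}
\{(((m,a),(m,b)),(m,(a,b))) \mid a \in A,\ b \in B,\ m \in Col\} & : & \Box A \otimes \Box B \to \Box (A \otimes B) \\
\{(*,(m,*)) \mid m \in Col\} & : & 1 \to \Box 1 \\
\{((\max(m_1,m_2),a),(m_1,(m_2,a))) \mid a \in A\} & : & \Box A \to \Box \Box A \\
\{((\epsilon,a),a) \mid a \in A\} & : & \Box A \to A
\end{array}$$

defines a lax monoidal comonad $\Box : Rel \to Rel$ on the category Rel of sets and relations.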
Moreover, the comonad distributes (or better: commutes) with the exponential modality £, 
in such a way that these two comonads compose into a new exponential modality of linear 
logic £ defined by the equation £ A = £ □ A. A Conway operator Y can be then defined 
in order to reflect in the relational semantics the definition of the winning condition on 
the infinite derivations of TL(Q). This fixpoint operator can be seen as a combination of 
the inductive and coinductive fixpoints of the model, where the color of an input indicates 
whether the fixpoint operator should be defined inductively (when the color is odd or neutral) 
or coinductively (when the color is even). The relational interpretation of a λY-term t in
this infinitary model is denoted as [f] $. The interpretation [<5] ^ of the transition function 
S is defined similarly as for [5] ^, except that the color information is incorporated in the 
semantics following the comonadic principles underlying the translation (14) in §4. Typically,
the transition (10) is interpreted in the colored relational semantics as

$([\,],\ ([(\Omega(q_0), q_0),\ (\Omega(q_1), q_1)],\ q_0)) \in$ IB


The last contribution of this paper, which underlies our companion paper [10] but is not
stated there, establishes a clean correspondence between the relational semantics of a
higher-order recursion scheme 𝒢 (seen below as a λY-term t_𝒢) and the exploration of the associated
ranked tree ⟦𝒢⟧ by an alternating parity automaton 𝒜:

► Theorem 6. An alternating parity tree automaton 𝒜 with a set of states Q has a winning
run-tree with initial state q_0 over the ranked tree ⟦𝒢⟧ generated by the λY-term t_𝒢 if and
only if there exists u ∈ [<Y]^ such that (u, q_0) ∈ ftgji , where [£*]* = M count (Col x \6ji )
denotes the set of finite-or-countable colored multisets of elements of [<5J$ .


6 Related works


The field of higher-order model-checking was to a large extent started at the turn of the
century by Knapik, Niwinski, Urzyczyn, who established that for every n > 0, Σ-labelled trees
generated by order-n safe recursion schemes are exactly those that are generated by order-n
pushdown automata, and further, that they have decidable MSO theories. The safety
condition was relaxed a few years later by Ong, who established the MSO decidability for general
order-n recursion schemes, using ideas imported from game semantics. Unfortunately, Ong's
proof was intricate and somewhat difficult to understand. Much work was thus devoted to
establish the decidability result by other means. Besides the type-theoretic approach initiated
by Kobayashi [14, 15], Hague, Murawski, Ong, Serre [12] developed an automata-theoretic
approach based on the translation of the higher-order recursion scheme $\mathcal{G}$ into a collapsible
pushdown automaton (CPDA), which led the four authors to another proof of MSO
decidability for order-n recursion schemes. A clarifying connection was then made by Salvati and
Walukiewicz between this translation of higher-order recursion schemes into CPDAs and the
traditional evaluation mechanism of the environment Krivine machine [22]. Following this
discovery, Salvati and Walukiewicz are currently developing a semantic approach to
higher-order model checking, based on the interpretation in finite models of the λ-calculus with
fixpoint operators, see [23, 24] for details. The idea of connecting linear logic to automata
theory is a longstanding dream which has been nurtured by a number of important
contributions. Among them, we would like to mention the clever work by Terui [25] who developed a
semantic and type-theoretic approach based on linear logic, intersection types and automata
theory in order to characterize the complexity of evaluation in the simply-typed λ-calculus.
In a different but related line of work, explicitly inspired by Bucciarelli and Ehrhard's
indexed linear logic [2, 3], de Carvalho [5] establishes an interesting correspondence between
intersection types and the length of evaluation in a Krivine machine.


7 Conclusions and perspectives


The purpose of the present paper is to connect higher-order model-checking to a series of
advanced ideas in contemporary semantics, like linear logic and its relational semantics,
indexed linear logic, distributive laws and parametric comonads. All these ingredients meet
and combine surprisingly well. The approach reveals in particular that the traditional
treatment of inductive-coinductive reasoning based on colors (or priorities) is secretly based on
the same comonadic principles as the exponential modality of linear logic.

Besides the conceptual promises offered by these connections, we would like to conclude
the paper by mentioning that this stream of ideas leads us to an alternative and purely
semantic proof of MSO decidability for higher-order recursion schemes, after [12, 15, 21].
The basic idea is to replace the infinitary colored relational semantics constructed in §5
by a finitary variant based on the prime-algebraic lattice semantics of linear logic. From
a type-theoretic point of view, this lattice semantics corresponds to an intersection type
system with subtyping for linear logic recently formulated by Terui [25]. We have shown
in a companion paper [8] how to recover the MSO decidability result for order-n recursion
schemes by adapting to this finitary semantics of linear logic the constructions performed
here for its relational semantics. One interesting feature of the resulting model of the
λY-calculus is that a morphism $D \to E$ in the Kleisli category consists in a continuous function

$$f : \underbrace{D \times \cdots \times D}_{n} \to E$$

where $n$ is the number of colors considered in the semantics; and that the fixpoint $Y f$ of a
morphism $f : D \to D$ is defined in that case by the alternating formula

$$Y f = \nu X_n.\, \mu X_{n-1} \ldots \nu X_2.\, \mu X_1.\, \nu X_0.\, f(X_0, \ldots, X_n)$$

where we suppose (without loss of generality) that $n$ is even, and where $\mu$ and $\nu$ denote the
least and greatest fixpoint operators, respectively. We believe that the appearance of this
simple formula and the fact that it defines a Conway operator $Y$ and thus a model of the
λY-calculus is a key contribution to the construction of a semantic and purely compositional
account of higher-order model-checking.
A Logical specification and automata theory
A.1 Monadic second-order logic and modal μ-calculus

The purpose of higher-order model-checking is to abstract the behavior of a functional 
program with recursion as a tree approximating the set of its potential executions, and 
then to specify a logical property to check over this tree. The tradition in higher-order 
model-checking is to consider monadic second-order logic, a well-balanced choice between 
expressivity - it contains most other usual logics over trees - and complexity: the satisfiability
of a formula is decidable for infinite structures of interest - as infinite trees (Rabin
1969). Higher-order verification has a different approach: the question is whether a given 
tree satisfies the formula - or whether an equivalent automaton accepts it. A first step 
towards this automata model for MSO is 

► Theorem 7 (Janin-Walukiewicz 1996). MSO is equi-expressive to modal μ-calculus over
trees.

where modal μ-calculus formulae are defined by

$$\phi ::= X \mid f \mid \phi \vee \phi \mid \phi \wedge \phi \mid \Box\, \phi \mid \Diamond_i\, \phi \mid \mu X.\, \phi \mid \nu X.\, \phi$$

for $f \in \Sigma$. Given a ranked tree, the semantics of a formula is the set of nodes where it holds.
The predicate $f$ is true on $f$-labelled nodes, $\Box\, \phi$ is true on nodes whose successors all satisfy
$\phi$, $\Diamond_i\, \phi$ is true on nodes whose $i$-th successor satisfies $\phi$, and $\mu$ and $\nu$ are two fixpoint
operators which can be understood in two different manners. Semantically, they are dual
operators, $\mu$ and $\nu$ being respectively the least and greatest fixpoint on the semantics of
formulae.

Given a Σ-labelled ranked tree whose set of nodes is $N$, whose branching structure is given
by a finite family of successor functions $succ_i : N \to N$, and whose labelling is described by
a function $label : N \to \Sigma$, the semantics of a closed modal μ-calculus formula $\phi$ is defined
as $\|\phi\|_\emptyset$ where $\emptyset$ denotes the unique function $\emptyset \to N$, and for a function $V : Var \to N$ and
a modal μ-calculus formula $\psi$, the semantics $\|\psi\|_V$ are defined inductively:

- $\|a\|_V = \{n \in N \mid label(n) = a\}$
- $\|X\|_V = V(X)$
- $\|\neg\phi\|_V = N \setminus \|\phi\|_V$
- $\|\phi \vee \psi\|_V = \|\phi\|_V \cup \|\psi\|_V$
- $\|\Diamond_i\, \phi\|_V = \{n \in N \mid ar(n) > i \text{ and } succ_i(n) \in \|\phi\|_V\}$
- $\|\mu X.\, \phi(X)\|_V = \bigcap \{M \subseteq N \mid \|\phi(X)\|_{V[X \leftarrow M]} \subseteq M\}$

where $V[X \leftarrow M]$ coincides with $V$ except on $X$ which it maps to $M$. The semantics of
$\wedge$, $\Box$ and $\nu$ are defined using de Morgan duality.

Another understanding of $\mu$ and $\nu$ is syntactic and closer to automata theory: both allow
the unfolding of formulae

$$\mu X.\, \phi[X] \to_\mu \phi[\mu X.\, \phi[X]] \quad \text{and} \quad \nu X.\, \phi[X] \to_\nu \phi[\nu X.\, \phi[X]]$$

but $\to_\mu$ may only be expanded finitely, while $\to_\nu$ is unconstrained. The semantics of a
formula may then be understood as the set of positions from which it admits unfoldings
which are logically true and which do not use $\to_\mu$ infinitely.
A.2 Alternating parity tree automata

From this syntactic interpretation of fixpoints over formulae, we can define a class of
automata corresponding to modal μ-calculus, namely alternating parity automata (APT),
whose purpose is to synchronise the unraveling of formulas with symbols of the tree. These
automata are top-down tree automata, with two additional features:

- alternation: they have the power to duplicate or drop subtrees, and to run with a different
  state on every copy,
- and parity conditions: since run-trees are infinitary by nature, these automata discriminate
  a posteriori the run-tree unfolding $\to_\mu$ infinitely.

The transition function takes values in positive Boolean formulae over couples of states 
and directions, its generic shape being 



$i \in I \qquad j \in J_i \qquad (18)$

which consists of a non-deterministic choice of $i$ followed by the execution of $|J_i|$ copies of
the automaton, each on the successor in direction $d_{i,j}$ of the current node, with state $q_{i,j}$.

When for every $i \in I$ and every direction $d$ there is a unique $j$ such that $d_{i,j} = d$, we
recover the usual notion of non-deterministic parity automaton. States of an APT may be
understood as subformulae of the formula of interest, so that some correspond to subformulae
$\mu X.\, \phi$ and others to subformulae $\nu X.\, \phi$. To exclude infinite unfoldings of $\mu$, every state $q$
is given a color $\Omega(q) \in \mathbb{N}$. States in the immediate scope of a $\mu$ receive an odd color, and
the others an even one. If $q$ corresponds to a subformula of $q'$, then the coloring will satisfy
$\Omega(q) < \Omega(q')$. The construction of $\Omega$ is such that the greatest color among the ones seen
infinitely often in an infinite branch informs the automaton about which fixpoint operator
was unfolded infinitely along it.

A branch of a run-tree is winning when the greatest color seen infinitely often along it
is even. A run-tree is declared winning when all its infinite branches are. Every modal
μ-calculus formula $\phi$ can be translated to an APT $\mathcal{A}_\phi$ such that

► Theorem 8 (Emerson-Jutla 1991). Given a Σ-labelled ranked tree $T$, $\phi$ holds at the root
of $T$ if and only if $\mathcal{A}_\phi$ has a winning run-tree over $T$.

A.3 An interactive interpretation of APT 

Recall that a parity game is a graph in which each vertex $v \in V$ belongs to a player: Eve or
Adam. It can be understood as a game where a token moves from vertex to vertex, starting
from the initial one, and taking on each vertex an outgoing edge chosen by the player who
controls it. The resulting interaction is called a play, and a maximal play is finite if and only
if it ends on a vertex without outgoing edges. There is a coloring function $\Omega : V \to \mathbb{N}$, and
the winning condition over infinite plays is defined just as for infinite branches of run-trees.
For finite maximal plays, the player controlling the last vertex loses.

A strategy for a player is a map from the set of plays ending with a node he controls to
$V$. It indicates to the player which move he should take during a play. It is positional if it can
be recovered from a function $V \to V$. The strategy is winning (resp. colorblind) if every
maximal play (resp. finite maximal play) in which it is followed by the player is winning for
him.

► Theorem 9 (Martin 1975). Parity games enjoy positional determinacy: given an initial 
vertex, one of the players has a winning positional strategy from it. It is computable when 
the game is finite. 
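
Theorem 9 states that the winner of a finite parity game is computable. As an added illustration (not code from the paper), the Python example below computes both winning regions with Zielonka's recursive algorithm, a standard procedure that the paper does not name; the function names, the two sink vertices used to encode the rule for finite maximal plays, and the sample game are all constructed for this example.

```python
"""Winning regions of a finite parity game (max-parity, Eve wins on even)."""

# Player p wins an infinite play iff its greatest recurring color c has c % 2 == p.
EVE, ADAM = 0, 1


def totalize(owner, edges, color):
    """Encode 'the player controlling a dead end loses' with two absorbing sinks."""
    owner, color = dict(owner), dict(color)
    edges = {v: list(edges.get(v, ())) for v in owner}
    sinks = {EVE: "<sink: Eve wins>", ADAM: "<sink: Adam wins>"}
    for winner, sink in sinks.items():
        owner[sink] = winner        # irrelevant: a sink has a single move
        color[sink] = winner        # color 0 (even) on Eve's sink, 1 (odd) on Adam's
        edges[sink] = [sink]
    for v in list(edges):
        if not edges[v]:            # dead end: its owner loses
            edges[v] = [sinks[1 - owner[v]]]
    return owner, edges, color, set(sinks.values())


def attractor(region, owner, edges, target, player):
    """Vertices of `region` from which `player` can force a visit to `target`."""
    attr = set(target)
    changed = True
    while changed:
        changed = False
        for v in region - attr:
            succ = [w for w in edges[v] if w in region]
            if owner[v] == player:
                pulled = any(w in attr for w in succ)
            else:
                pulled = bool(succ) and all(w in attr for w in succ)
            if pulled:
                attr.add(v)
                changed = True
    return attr


def zielonka(region, owner, edges, color):
    """Return (Eve's region, Adam's region) for a subgame without dead ends."""
    if not region:
        return set(), set()
    top = max(color[v] for v in region)
    player, opponent = top % 2, 1 - top % 2
    top_vertices = {v for v in region if color[v] == top}
    a = attractor(region, owner, edges, top_vertices, player)
    win = zielonka(region - a, owner, edges, color)
    if not win[opponent]:
        # The opponent wins nowhere outside `a`, so `player` wins everywhere.
        result = [set(), set()]
        result[player] = set(region)
        return tuple(result)
    # Otherwise the opponent also wins from everything it can drag into its region.
    b = attractor(region, owner, edges, win[opponent], opponent)
    win = list(zielonka(region - b, owner, edges, color))
    win[opponent] = win[opponent] | b
    return tuple(win)


def solve(owner, edges, color):
    """Winning regions (Eve, Adam) of a finite parity game, dead ends allowed."""
    owner, edges, color, sinks = totalize(owner, edges, color)
    win_eve, win_adam = zielonka(set(owner), owner, edges, color)
    return win_eve - sinks, win_adam - sinks


# Constructed sample game (not from the paper).
OWNER = {"a": EVE, "b": ADAM, "c": ADAM, "d": EVE, "e": ADAM, "f": EVE}
EDGES = {"a": ["b", "c"], "b": ["a"], "c": ["c", "d"], "d": [], "e": [], "f": ["e", "c"]}
COLOR = {"a": 1, "b": 2, "c": 1, "d": 0, "e": 3, "f": 0}

if __name__ == "__main__":
    eve, adam = solve(OWNER, EDGES, COLOR)
    print("Eve wins from:", sorted(eve))
    print("Adam wins from:", sorted(adam))
```

In the sample game Eve wins from a by cycling through b (greatest recurring color 2), while Adam wins from c either by looping on the odd color 1 or by moving to Eve's dead end d.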
The execution of an APT over a tree $T$ may then be understood as a parity game in
which Eve constructs a run-tree by playing the non-deterministic choice of the transition
function (18): she selects $i$, while Adam chooses a direction to explore by picking $j \in J_i$. A
play is thus an exploration of a branch - controlled by Adam - of a run-tree built by Eve.
Then Eve has a winning strategy from the root (and the initial state) if and only if she can
build a run-tree in which Adam can not find a branch that violates the parity condition or
is rejected by the automaton: she has a winning strategy if and only if $\mathcal{A}$ has a winning
run-tree over $T$.


B Higher-order recursion schemes


Functional programs are a challenge for verification, as they feature higher-order recursion. 
Higher-order recursion schemes (HORS) provide an abstract model of functional programs 
which precisely focuses on the complex program flow induced by this recursive power. HORS 
produce trees abstracting the set of executions of programs. They notably do not allow the 
evaluation of conditionals nor the treatment of references. 

Consider a signature $\Sigma$, a set of variables $\mathcal{V}$, and a set of non-terminals $\mathcal{N}$. The function
kind is extended to $\mathcal{V} \uplus \mathcal{N}$ with a simple type for each variable and non-terminal. A HORS is
the data of an axiom $S \in \mathcal{N}$ of simple type $\bot$ and of a function $\mathcal{R}$ mapping each non-terminal
$F \in \mathcal{N}$ to a closed term

$$\mathcal{R}(F) = \lambda x_1. \cdots \lambda x_n.\, t \qquad (19)$$

of simple type kind(F), and such that each of the $x_i$ is in $\mathcal{V}$ and that $t$ is a term without
abstractions.

The order of $\mathcal{G}$ is $\max(\{order(kind(F)) \mid F \in \mathcal{N}\})$. We define inductively the rewriting
relation $\to_\mathcal{G}$ over terms by:

- $F\, t_1 \cdots t_n \to_\mathcal{G} t[x_i := t_i]$ if $\mathcal{R}(F) = \lambda x_1 \cdots \lambda x_n.\, t$,
- if $s \to_\mathcal{G} t$ then $s\, u \to_\mathcal{G} t\, u$ and $u\, s \to_\mathcal{G} u\, t$.

The value tree $[\![\mathcal{G}]\!]$ of the scheme, when it exists, is defined as the limit tree obtained by this
infinite rewriting process starting from $S$, and is a Σ-labelled ranked tree.

We define the term $t(\mathcal{G})$ as the one obtained by considering $\mathcal{R}$ as a regular grammar. It
is the infinite term corresponding to $\mathcal{G}$; its β-reduction computes $[\![\mathcal{G}]\!]$.

► Example 10. Given $\Sigma = \{if : 2,\ data : 1,\ Nil : 0\}$, consider the recursion scheme

S = L Nil

L = λx. if x (L (data x))

Its value tree is depicted in Figure 2. Even though the scheme is very simple, this is not a
regular tree: it has infinitely many different subtrees. A consequence is that the application
of Theorem 9 over $[\![\mathcal{G}]\!]$ does not suffice to decide the existence of a winning run-tree over it.
The effect of the transitions

$$\delta(q_0, if) = (2, q_0) \wedge (2, q_1) \quad \text{and} \quad \delta(q_1, if) = (1, q_1) \wedge (2, q_0)$$

is depicted in Figure 3.
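
The rewriting relation and Example 10 above, as an added Python example that is not part of the paper: it head-reduces a recursion scheme and returns its value tree cut at a given depth, with ⊥ for the unexplored part and for heads that never produce a terminal. The tuple encoding of terms and all function names are assumptions of this example, and the rule for L is read as L = λx. if x (L (data x)).

```python
"""Bounded unfolding of the value tree of a higher-order recursion scheme."""

BOTTOM = "⊥"  # part of the tree below the exploration depth, or undefined


def app(head, *args):
    """Left-nested application: app(f, a, b) is the term (f a) b."""
    term = head
    for arg in args:
        term = ("app", term, arg)
    return term


def spine(term):
    """Split a term into its head symbol and the list of its arguments."""
    args = []
    while isinstance(term, tuple):
        _, term, arg = term
        args.append(arg)
    return term, args[::-1]


def substitute(term, env):
    """Replace variables by closed terms; rule bodies contain no abstraction."""
    if isinstance(term, tuple):
        return ("app", substitute(term[1], env), substitute(term[2], env))
    return env.get(term, term)


def value_tree(term, rules, arity, depth, max_steps=1000):
    """Value tree of `term` cut at `depth`: (label, child_1, ..., child_k) or BOTTOM.

    `rules` maps a non-terminal F to (parameters, body), i.e. R(F) = λx1...λxn. body;
    `arity` maps each terminal of the signature to its number of children.
    """
    if depth == 0:
        return BOTTOM
    head, args = spine(term)
    steps = 0
    while head in rules:                       # F t1 ... tn -> body[xi := ti]
        if steps == max_steps:
            return BOTTOM                      # unproductive head: no terminal appears
        steps += 1
        params, body = rules[head]
        if len(args) < len(params):
            raise ValueError(f"non-terminal {head} is not fully applied")
        env = dict(zip(params, args))
        head, args = spine(app(substitute(body, env), *args[len(params):]))
    if len(args) != arity[head]:
        raise ValueError(f"terminal {head} expects {arity[head]} arguments")
    return (head,) + tuple(
        value_tree(arg, rules, arity, depth - 1, max_steps) for arg in args
    )


# Example 10: S = L Nil and L = λx. if x (L (data x)).
ARITY = {"if": 2, "data": 1, "Nil": 0}
RULES = {
    "S": ((), app("L", "Nil")),
    "L": (("x",), app("if", "x", app("L", app("data", "x")))),
}


def size(tree):
    """Number of nodes of a (cut) value tree."""
    return 1 if tree == BOTTOM else 1 + sum(size(child) for child in tree[1:])


def left_subtree_sizes(n):
    """Sizes of the left children of the first n `if` nodes on the rightmost branch."""
    tree = value_tree("S", RULES, ARITY, depth=2 * n)
    sizes = []
    for _ in range(n):
        _, left, tree = tree
        sizes.append(size(left))
    return sizes


if __name__ == "__main__":
    print(value_tree("S", RULES, ARITY, depth=3))
    print(left_subtree_sizes(5))
```

The k-th `if` node on the rightmost branch has the left child data^k Nil, so the sizes grow without bound: this is the family of pairwise different subtrees that makes the value tree non-regular.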
Figure 2 An order-1 value tree.

Figure 3 An APT run-tree.

[Figure 4 shows the typing rules of the system: an Axiom rule, a rule typing each terminal a ∈ Σ
under the condition that the chosen family of states satisfies δ_A(q, a), an App rule, and a rule
for λ-abstraction with side condition I ⊆ J.]

Figure 4 The Kobayashi-Ong type system KO(A) associated to the alternating parity tree
automaton A


C Connection with the Kobayashi-Ong approach 


C.l The Kobayashi-Ong type system 

Consider a coloring function $\Omega : Q \to \mathbb{N}$, we extend it to intersection types by setting
$\Omega(\tau \to \sigma) = \Omega(\sigma)$. The original type system of Kobayashi and Ong is recast in Figure 4.
Note that every rule of a recursion scheme admits a finite number of colored intersection
typings (12), where the contexts consist of refined typings of the non-terminals occurring in
$\mathcal{R}(F)$. In a context $\Delta$, a non-terminal $G$ typically occurs as

$$G : \bigwedge_{i \in I} \Box_{m_i}\, \theta_i :: kind(G) \qquad (20)$$

C.2 Recursion as a parity game 


Fixing a recursion scheme $\mathcal{G}$ and an APT $\mathcal{A}$, we obtain a finite set of typings (12) for each
rewrite rule. In order to account for recursion, Kobayashi and Ong introduce the finite
parity game $Adamic(\mathcal{G},\mathcal{A})$, in which Adam incrementally tries to disprove Eve's typing by
picking non-terminals to unfold.

More specifically, Eve's vertices correspond to colored typings for non-terminals, while
Adam's vertices are typing contexts. There is an edge from a typing $F : \Box_m\, \theta :: \kappa$ to a
context $\Delta$ if and only if the sequent

$$\Delta \vdash \mathcal{R}(F) : \theta :: \kappa \qquad (21)$$

is provable in the colored type system $KO(\mathcal{A})$, and there is an edge from a context $\Delta$ to a
typing $G : \Box_m\, \theta :: \kappa$ if and only if $G$ occurs in $\Delta$ with this refined type - that is, if $G$ occurs
in $\Delta$ as in (20), if there is $i \in I$ such that $m = m_i$ and $\theta = \theta_i$. Note that the resulting game
is finite, due to the idempotency of the intersection operator. Vertices $F : \Box_m\, \theta :: \kappa$ receive
color $m$; other vertices receive the neutral color $\epsilon$.

A play is winning for Adam if and only if it ends on a node $F : \Box_m\, \theta :: \kappa$ from which Eve
has no move - that is, if she made a typing assumption she can not prove - or if it is infinite
and such that Adam could choose infinitely often to expand a non-terminal of maximal odd
color. Therefore, Eve has a winning strategy in this game if and only if she can ensure the
existence of a winning sequence of typings along every possible branch of reductions in the
scheme, leading to

► Theorem 11 (Kobayashi-Ong 2009 [15]). Eve has a winning strategy in the parity game
$Adamic(\mathcal{G},\mathcal{A})$ iff the alternating parity tree automaton $\mathcal{A}$ has a winning run-tree over $[\![\mathcal{G}]\!]$.


C.3 From $Adamic(\mathcal{G},\mathcal{A})$ to $Edenic(\mathcal{G},\mathcal{A})$

Despite its intuitive connection with type theory, the game $Adamic(\mathcal{G},\mathcal{A})$ does not describe
the on-the-fly construction of a branch of a typing proof, for two essential reasons:

- Eve does not provide a witness of the typing proof of the sequent (21) which builds $\Delta$,
  so that proofs can not be extracted from plays, and that no distinction is made between
  different derivations with the same conclusion,
- and Adam does not play an occurrence of a non-terminal in $\mathcal{R}(F)$, but a typing which
  could, due to idempotency, correspond to several Axiom leaves of a derivation tree.

In order to understand the game $Adamic(\mathcal{G},\mathcal{A})$ from a purely type-theoretic point of view,
we introduce the parity game $Edenic(\mathcal{G},\mathcal{A})$, which only differs on these two points:

- Eve plays typing proofs of sequents (21) in addition to the context $\Delta$ they build,
- and Adam plays occurrences of non-terminals appearing in the term $\mathcal{R}(F)$ - or,
  equivalently, picks an Axiom leaf introducing a non-terminal in the proof $\pi$ provided by Eve at
  the previous turn.

Note that the resulting game is bigger, yet finite. We prove the following correspondence:

► Proposition 1. The parity games $Adamic(\mathcal{G},\mathcal{A})$ and $Edenic(\mathcal{G},\mathcal{A})$ are equivalent, in the
sense that a player has a winning strategy in a game if and only if he does in the other.

Note that the collapse of strategies of $Edenic(\mathcal{G},\mathcal{A})$ to strategies of $Adamic(\mathcal{G},\mathcal{A})$ relies
on a uniformization property which is reminiscent of the proof of the positional determinacy
of parity games: from a winning strategy for Eve in $Edenic(\mathcal{G},\mathcal{A})$, one can extract such a
strategy in which, given a colored type, any occurrence of a non-terminal with this type will
be mapped to the same typing proof.


C.4 Colored typings 

From the parity game $Edenic(\mathcal{G},\mathcal{A})$, we can easily define a corresponding type system
similar in the spirit to $Y_{fix}(\mathcal{G},\mathcal{A})$, but using Kobayashi and Ong's original coloring policy.
Consider the system $KO_{fix}(\mathcal{G},\mathcal{A})$ obtained from $KO(\mathcal{A})$ by restricting the Axiom rule to
variables $x \in \mathcal{V}$, and by adding the fix rule

$$\frac{\Gamma \vdash \mathcal{R}(F) : \theta :: \kappa}{F : \Box_{\Omega(\theta)}\, \theta :: \kappa \vdash F : \theta :: \kappa}\ \text{fix} \qquad dom(\Gamma) \subseteq \mathcal{N}$$

As in $Y_{fix}(\mathcal{G},\mathcal{A})$, derivations of infinite depth are allowed in $KO_{fix}(\mathcal{G},\mathcal{A})$. Colorblind
strategies $\sigma$ for Eve in $Edenic(\mathcal{G},\mathcal{A})$ are easily translated as proofs $\pi(\sigma)$ in $KO_{fix}(\mathcal{G},\mathcal{A})$, by
incrementally plugging to every fix rule the finite proof-tree she answers in $\sigma$, starting from
the unfolding of the axiom $S$ of the scheme

$$\frac{\Gamma \vdash \mathcal{R}(S) : q_0 :: \bot}{S : \Box_{\Omega(q_0)}\, q_0 :: \bot \vdash S : q_0 :: \bot}\ \text{fix}$$

Of course, the inverse process can be defined as well, leading to the unique definition for
every derivation tree $\pi$ in $KO_{fix}(\mathcal{G},\mathcal{A})$ of a colorblind strategy $\sigma(\pi)$ for Eve in $Edenic(\mathcal{G},\mathcal{A})$.
Adam's role in $Edenic(\mathcal{G},\mathcal{A})$ is also transported in $KO_{fix}(\mathcal{G},\mathcal{A})$: its strategies leading to
infinite interactions with $\sigma$ are in one-to-one bijection with the infinite branches of $\pi(\sigma)$.
Strategies resulting in finite interactions are not quite branches, but paths leading to an
instance of a fix rule expanding a term without non-terminals.

In order to account for the parity condition in $Edenic(\mathcal{G},\mathcal{A})$, we color the fix rules of
the tree in the same manner: every fix rule expands a non-terminal occurring as (20) in the
context introduced by the immediately preceding instance of fix; it receives the color $m_i$
corresponding to the refined type $\theta_i$ of the occurrence to expand. The first fix rule, which
expands $S$, receives color 0. Now the usual parity condition for trees is incorporated to
$KO_{fix}(\mathcal{G},\mathcal{A})$ derivation trees: winning derivation trees are those whose infinite branches all
satisfy the parity condition.

► Theorem 12.
- A colorblind strategy $\sigma$ for Eve is winning in $Edenic(\mathcal{G},\mathcal{A})$ if and only
  if $\pi(\sigma)$ is a winning derivation tree of $KO_{fix}(\mathcal{G},\mathcal{A})$.
- A derivation tree $\pi$ of $KO_{fix}(\mathcal{G},\mathcal{A})$ is winning if and only if Eve's colorblind strategy
  $\sigma(\pi)$ is winning in $Edenic(\mathcal{G},\mathcal{A})$.


C.5 Proof of Theorem 4

Theorem 4 is central in this article, as it discloses the comonadic behaviour of the coloring
annotation of the alternating parity automaton. It admits at least three proofs:

- one proof consists in a minor and at the same time clarifying alteration of the proof given
  by Kobayashi and Ong in the unpublished journal version of their original article,
- another more direct proof is based on the equivalence between the game $Edenic(\mathcal{G},\mathcal{A})$
  and the game $Edenic_{new}(\mathcal{G},\mathcal{A})$ obtained by playing typing derivations of the $Y(\mathcal{A})$
  type system rather than in $KO(\mathcal{A})$,
- the authors are currently writing a third proof formulated in a purely proof-theoretic
  language and based on standard techniques in linear logic and semantics, as well as on
  the proof by Kobayashi and Ong in the unpublished journal version of their original
  article [15] and on the proof by Haddad [11].


Adapting Kobayashi and Ong's original proof. We start by briefly explaining how the
original proof of soundness given in Kobayashi and Ong's unpublished journal version of [15]
may be very naturally adapted to the comonadic color policy formulated in our paper. The
key idea is to change the definition of the color $\Omega(C[]_q)$ of a context in the following way:

- if $C[]_q = []_q$ then $\Omega(C[]_q) = \epsilon$,
- if $C[]_q = (a, q')\, T_1 \cdots T_{i-1}\, C'[]_q\, T_{i+1} \cdots T_n$, then
  - if $C'[]_q = []_q$, then $\Omega(C[]_q) = \epsilon$,
  - if $C'[]_q = (b, q'')\, T'_1 \cdots T'_{j-1}\, C''[]_q\, T'_{j+1} \cdots T'_m$, then $\Omega(C[]_q) = \max(\Omega(q''), \Omega(C'[]_q))$.

The definition is written here in the style of Kobayashi and Ong's proof. However, in
order to understand its true content, one should observe that every tree-context $C[]_q$ is
either trivial or has a “return state” $q'$ defined as the state of the tree automaton labelling
its root $(a, q')$. The color of the trivial tree-context $[]_q$ is itself trivial (that is, equal to the
neutral color $\epsilon$) while the color of a non-trivial tree-context $C[]_q$ is equal to the maximal
color encountered from its return state $q'$ (not included) to its hole (not included). This
reflects the comonadic nature of our coloring policy, as disclosed in §4. If we write $C[]^{q'}_q$ for
a non-trivial tree-context with return type $q'$, we thus have that the color of a context

$$(a, q'')\, T_1 \cdots T_{i-1}\, C[]^{q'}_q\, T_{i+1} \cdots T_n$$

is equal to $\max(\Omega(q'), \Omega(C[]^{q'}_q))$.

To summarize, the general philosophy of tensorial logic is that the color $c = \Omega(q)$ which
labels the state $q$ in Kobayashi and Ong's approach labels in our case the comonadic box
$\Box_c$ which encloses the state $q$. The definition of Kobayashi and Ong's function A should be
adapted accordingly: in the case (i) of the definition of the rewriting relation > in Section 4.1
of their unpublished journal version of [15], $A\{Z \mapsto \Omega(q)\}$ must be changed to $A\{Z \mapsto \epsilon\}$ in
order to reflect the fact that the tree context is trivial in that case. These revised definitions
of $\Omega$ and A clarify the secretly comonadic principles underlying the proofs of Lemma 4.4
and 4.5 of Kobayashi and Ong's unpublished journal article, which for that reason can be
easily adapted to our new, comonadic coloring policy. The remaining part of the proof
of soundness (in particular Lemma 4.8) works exactly in the same way in our setting as
in Kobayashi and Ong's original formulation. This provides a proof of soundness for the
system $Y_{fix}(\mathcal{G},\mathcal{A})$.


Another proof directly based on parity games. An alternative and simple way to prove 
Theorem 4 (soundness and completeness) is to return to the original framework of parity 
games, and in particular to the equivalence between Adamic(Q, A) and Edenic(Q, A) 
established in Proposition 1. Remember indeed that the parity game Edenic(Q, A) is closely 
related to the proof-system KO(A). We thus introduce a minor variant of this parity game 
called Edenic_new(Q, A) adapting Edenic(Q, A) to the proof-system S(A), which plays for 
KO(A) the same role as the system S_fix(Q, A) for KO_fix(Q, A). It is easy to recast 
Theorem 12 in this setting, and to show that there is a correspondence between Eve’s colorblind 
strategies in the parity game Edenic_new(Q, A) and the derivation trees in the type system 
S_fix(Q, A). Moreover, this correspondence maps winning strategies to winning derivations, 
and conversely. We shall now prove the following equivalence: 

► Proposition 2. If Q is a productive higher-order recursion scheme, then the parity games 
Edenic(Q, A) and Edenic_new(Q, A) are equivalent, in the sense that a player has a winning 
strategy in one of these games if and only if he has a winning strategy in each of these 
games. 
We have already established the equivalence between Adamic(Q, A) and Edenic(Q, A) in 
Proposition 1. In order to prove Proposition 2, we observe that there exists a one-to-one 
correspondence between KO(A) and S(A) derivation trees. This implies that there exists 
a one-to-one correspondence between Eve’s colorblind strategies in Edenic(Q, A) and in 
Edenic_new(Q, A). The same is true for Adam: his strategies in both games are identical. 

In order to establish that the parity games Edenic(Q, A) and Edenic_new(Q, A) are 
equivalent, it remains to prove that this correspondence preserves the color of infinite 
branches. Notice that the productivity of the recursion scheme Q excludes the existence of 
an infinite branch containing, after a finite prefix, only non-terminals and bound variables in 
head position: indeed, their head reduction would lead to ⊥, which is forbidden by 
productivity. A consequence is that every infinite branch of a productive recursion scheme Q visits 
infinitely often a term in head position in an Application rule, so that every such infinite 
branch is assigned countably many non-neutral colors in Edenic_new(Q, A). Of course, 
between two such visits to non-neutral colors, the neutral color ε is played in Edenic_new(Q, A), 
whereas the last visited color is repeated in the original game Edenic(Q, A). However, since 
such repetitions are always of finite length, the maximal color visited infinitely often in 
an infinite play of the strategy for Eve (resp. for Adam) in Edenic(Q, A) is precisely the 
same as the maximal color visited infinitely often in the corresponding strategy for Eve (resp. for 
Adam) in Edenic_new(Q, A). As a consequence, the correspondence between Edenic(Q, A) 
and Edenic_new(Q, A) preserves the colors of infinite plays and thus transports a winning 
strategy for Eve (resp. for Adam) in Edenic(Q, A) to a winning strategy for Eve (resp. for 
Adam) in Edenic_new(Q, A) and conversely. This completes the proof of Proposition 2. 
Together with the equivalence between Adamic(Q, A) and Edenic(Q, A) established in 
Proposition 1, this equivalence induces Theorem 4, at least for a productive recursion scheme 
Q. The soundness and completeness theorem follows indeed from the corresponding theorem 
established by Kobayashi and Ong (Theorem 11) for the parity game Adamic(Q, A). The 
conceptual novelty of Theorem 4, of course, is that it reveals the comonadic nature of colors 
in higher-order model-checking, and a promising connection of this field with linear logic. 
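
The color-preservation argument above can be checked mechanically on ultimately periodic plays. The following Python sketch is an added example, not part of the original article: it assumes a play is given as a finite prefix followed by a cycle repeated forever, with colors encoded as integers and the neutral color ε as None; all function names are hypothetical.

```python
from itertools import product

EPS = None  # the neutral color ε played in Edenic_new (encoding assumed here)

def steady_cycle_old(prefix, cycle):
    """Colors read along one turn of the cycle in Edenic, where a step that
    plays ε in Edenic_new repeats the last visited color instead."""
    if all(c is EPS for c in cycle):
        # Such a branch never reaches an Application rule again:
        # this is what productivity of the scheme excludes.
        raise ValueError("cycle without non-neutral color: not productive")
    last = None
    for c in list(prefix) + list(cycle):   # first turn: reach the steady state
        last = c if c is not EPS else last
    turn = []
    for c in cycle:                        # second turn: what repeats forever
        last = c if c is not EPS else last
        turn.append(last)
    return turn

def max_inf_new(cycle):
    """Maximal color visited infinitely often in Edenic_new (ε is ignored)."""
    return max(c for c in cycle if c is not EPS)

def max_inf_old(prefix, cycle):
    """Maximal color visited infinitely often in Edenic."""
    return max(steady_cycle_old(prefix, cycle))

def check_all(colors=(0, 1, 2), max_prefix=2, max_cycle=3):
    """Compare both games on every productive lasso of bounded size."""
    alphabet = (EPS,) + tuple(colors)
    checked = 0
    for p in range(max_prefix + 1):
        for prefix in product(alphabet, repeat=p):
            for n in range(1, max_cycle + 1):
                for cycle in product(alphabet, repeat=n):
                    if all(c is EPS for c in cycle):
                        continue           # excluded by productivity
                    assert max_inf_old(prefix, cycle) == max_inf_new(cycle)
                    checked += 1
    return checked
```

Colors of the prefix never matter, and the color carried into the cycle in Edenic is always one that the cycle itself plays, which is why the two maxima agree.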

D Typing terms with colored tensorial logic 

The indexed and colored variant TL(Q) of tensorial logic with colors is introduced and 
discussed in fjdj. The main logical rules of the system are formulated below in Figure 5. In 
order to simplify their presentation, we choose to write 

¬_q (A_1, ⋯, A_n) 

for the formula of indexed tensorial logic: 

¬_q (A_1 ⊗ ⋯ ⊗ A_n) = A_1 ⊸ ⋯ ⊸ A_n ⊸ q. 

Similarly, and for the sake of uniformity, we choose to write 

¬ (κ_1, ⋯, κ_n) 

for the type (or kind) of simply-typed λ-calculus: 

κ_1 → ⋯ → κ_n → ⊥. 

Note that, for the sake of simplicity, we prefer to keep implicit the index I, J or K appearing 
on the side of each sequent of the logical rules below. The reader interested in the precise 
treatment of such indexes will find the detailed treatment in the work by Bucciarelli and 
Ehrhard [2, 3] as well as in our companion paper [9]. 
Axiom 

                q ∈ Q 
    ------------------------- 
    x : q :: ⊥ ⊢ x : q :: ⊥ 


Left □ 

    Γ, x : A :: κ ⊢ M : B :: κ' 
    -------------------------------- 
    Γ, x : □_ε A :: κ ⊢ M : B :: κ' 


Right □_m 

    Γ ⊢ M : A :: κ 
    -------------------------- 
    □_m Γ ⊢ M : □_m A :: κ 


Dereliction 

    Γ, x : A :: κ ⊢ M : B :: κ' 
    ------------------------------ 
    Γ, x : [A] :: κ ⊢ M : B :: κ' 


Promotion 

    ⊢ M : A_j :: κ   (∀j ∈ J) 
    ------------------------------ 
    V ; ,l • •'/ : ,/C •/ :: K 


Left negation 

    Γ_1 ⊢ N_1 : A_1 :: κ_1   ⋯   Γ_n ⊢ N_n : A_n :: κ_n     q ∈ Q 
    ------------------------------------------------------------------------- 
    (EIU ro,/ : (A_1, ⋯, A_n) :: ¬ (κ_1, ⋯, κ_n) ⊢ f N_1 ⋯ N_n : q :: ⊥ 


Right negation 

    Γ, x_1 : A_1 :: κ_1, ..., x_n : A_n :: κ_n ⊢ M : q :: ⊥     q ∈ Q 
    ------------------------------------------------------------------------- 
    Γ ⊢ λx_1 ⋯ λx_n . M : ¬_q (A_1, ⋯, A_n) :: ¬ (κ_1, ⋯, κ_n) 


Figure 5 Extension of tensorial logic with intersection types and color modalities (main rules) 








